### Application Gateway SKU Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name/README.md Specifies the SKU for the application gateway. Accepted values for names are Standard_v2 and WAF_v2. This example is a placeholder and should be configured based on requirements. ```terraform sku = { # Accpected value for names Standard_v2 and WAF_v2 } ``` -------------------------------- ### Default Application Gateway Deployment Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/default/README.md This example deploys the Application Gateway module in its most basic configuration, suitable for simple HTTP traffic routing. It requires backend address pools, HTTP settings, frontend ports, gateway IP configuration, and request routing rules. Ensure necessary provider configurations for azurerm and random are present. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 4.0" } random = { source = "hashicorp/random" version = ">= 3.5.0, < 4.0.0" } } } provider "azurerm" { features {} } module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" suffix = ["agw"] } module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.11.0" } resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" backend_address_pools = { appGatewayBackendPool = { name = "appGatewayBackendPool" ip_addresses = ["100.64.2.6", "100.64.2.5"] } } backend_http_settings = { appGatewayBackendHttpSettings = { name = "appGatewayBackendHttpSettings" port = 80 protocol = "Http" cookie_based_affinity = "Disabled" path = "/" request_timeout = 30 connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } } frontend_ports = { frontend-port-80 = { name = 
"frontend-port-80" port = 8080 } } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } http_listeners = { appGatewayHttpListener = { name = "appGatewayHttpListener" host_name = null frontend_port_name = "frontend-port-80" } } location = azurerm_resource_group.rg_group.location name = module.naming.application_gateway.name_unique request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "appGatewayHttpListener" backend_address_pool_name = "appGatewayBackendPool" backend_http_settings_name = "appGatewayBackendHttpSettings" priority = 100 } } resource_group_name = azurerm_resource_group.rg_group.name autoscale_configuration = { min_capacity = 2 max_capacity = 3 } public_ip_address_configuration = { public_ip_name = "${module.naming.public_ip.name_unique}-pip" ddos_protection_mode = "Enabled" } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } zones = ["1", "2", "3"] } ``` -------------------------------- ### Terraform Configuration for Application Gateway Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name_privateonly/README.md This example demonstrates how to create an Application Gateway configured with a custom name for an internal-only private IP address. It includes the necessary Terraform providers and modules for naming and region randomization. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azapi = { source = "Azure/azapi" version = "~> 2.0" } azurerm = { source = "hashicorp/azurerm" version = "~> 4.0" } random = { source = "hashicorp/random" version = ">= 3.5.0, < 4.0.0" } } } provider "azurerm" { resource_provider_registrations = "core" features {} } provider "azapi" {} # This ensures we have unique CAF compliant names for our resources. 
module "naming" { source = "Azure/naming/azurerm" version = "0.4.0" suffix = ["agw"] } # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.11.0" } ``` -------------------------------- ### Configure Application Gateway with Private IP and Autoscaling Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name/README.md Example of configuring an Application Gateway with a private IP, autoscaling enabled, and zone redundancy. Ensure capacity is set appropriately for autoscaling. ```terraform resource "azurerm_application_gateway" "appgw" { name = "appgw-prod" location = "eastus" resource_group_name = "rg-appgw-prod" sku { name = "Standard_v2" tier = "Standard_v2" capacity = 0 # Set the initial capacity to 0 for autoscaling } frontend_ip_configuration { name = "appGatewayFrontendIP" private_ip_address_id = azurerm_private_endpoint.pe.id } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Optional Input # WAF : Deploy Application Gateway in a zone-redundant configuration # Zone redundancy for the application gateway ["1", "2", "3"] zones = ["1", "2", "3"] } ``` -------------------------------- ### Application Gateway Request Routing Rules Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name/README.md Sets up routing rules to direct incoming traffic to specific backend pools based on listener configurations. This example includes basic routing rules. 
```terraform request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "app-Gateway-Http-Listener-80" backend_address_pool_name = "app-Gateway-Backend-Pool-80" backend_http_settings_name = "app-Gateway-Backend-Http-Settings-80" priority = 100 }, routing-rule-2 = { name = "rule-2" rule_type = "Basic" http_listener_name = "app-Gateway-Http-Listener-81" backend_address_pool_name = "app-Gateway-Backend-Pool-81" backend_http_settings_name = "app-Gateway-Backend-Http-Settings-81" priority = 101 } # Add more rules as needed } ``` -------------------------------- ### Application Gateway Public IP Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name/README.md Configures the public IP address for the application gateway. This example shows how to use an existing public IP address resource instead of creating a new one. ```terraform public_ip_address_configuration = { create_public_ip_enabled = false public_ip_resource_id = azurerm_public_ip.public_ip.id } ``` -------------------------------- ### Configure Inline WAF Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Enable the inline (classic) WAF configuration. For new deployments, an external WAF policy is strongly recommended. This configures basic WAF settings, disabled rule groups, and rule exclusions. Each disabled rule or exclusion removes coverage for the requests it matches, so keep them scoped to the specific false positives observed and review them whenever the rule set version is changed. 
```hcl waf_configuration = { enabled = true firewall_mode = "Prevention" # or "Detection" rule_set_type = "OWASP" rule_set_version = "3.2" file_upload_limit_mb = 100 max_request_body_size_kb = 128 request_body_check = true disabled_rule_group = [ { rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" rules = [942100, 942110] } ] exclusion = [ { match_variable = "RequestHeaderNames" selector = "x-custom-header" selector_match_operator = "Equals" } ] } ``` -------------------------------- ### Application Gateway Configuration with Rewrite Rules Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/rewrite_rule/README.md This snippet demonstrates a full configuration of an Application Gateway, including backend pools, HTTP settings, listeners, routing rules, and advanced rewrite rule sets for modifying request headers and URL paths. Ensure all prerequisite resources like subnets and resource groups are defined. ```terraform resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" # Backend address pool configuration for the application gateway # Mandatory Input backend_address_pools = { appGatewayBackendPool = { name = "appGatewayBackendPool" ip_addresses = ["100.64.2.6", "100.64.2.5"] #fqdns = ["example1.com", "example2.com"] } } # Backend http settings configuration for the application gateway # Mandatory Input backend_http_settings = { appGatewayBackendHttpSettings = { name = "appGatewayBackendHttpSettings" #Github issue #55 allow custom port for the backend port = 80 protocol = "Http" cookie_based_affinity = "Disabled" request_timeout = 30 connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } # Add more http settings as needed } # frontend port configuration block for the application gateway # WAF : This example NO HTTPS, We recommend to Secure all incoming connections using HTTPS for production 
services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers. # WAF : Please refer kv_selfssl_waf_https_app_gateway example for HTTPS configuration frontend_ports = { frontend-port-80 = { name = "frontend-port-80" port = 8080 } } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } # Http Listerners configuration for the application gateway # Mandatory Input http_listeners = { appGatewayHttpListener = { name = "appGatewayHttpListener" host_name = null frontend_port_name = "frontend-port-80" } # # Add more http listeners as needed } location = azurerm_resource_group.rg_group.location # provide Application gateway name name = module.naming.application_gateway.name_unique # Routing rules configuration for the backend pool # Mandatory Input request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "appGatewayHttpListener" backend_address_pool_name = "appGatewayBackendPool" backend_http_settings_name = "appGatewayBackendHttpSettings" priority = 100 rewrite_rule_set_name = "my-rewrite-rule-set" } # Add more rules as needed } resource_group_name = azurerm_resource_group.rg_group.name autoscale_configuration = { min_capacity = 2 max_capacity = 3 } # pre-requisites resources input required for the module public_ip_address_configuration = { public_ip_name = "${module.naming.public_ip.name_unique}-pip" } rewrite_rule_set = { ruleset1 = { name = "my-rewrite-rule-set" rewrite_rules = { rule_1 = { name = "rr-x-forwarded-for" rule_sequence = 102 request_header_configurations = { x-forwarded-for = { header_name = "X-Forwarded-For" header_value = "{var_client_ip}" } } } rule_2 = { name = "rr-blog-post-rewrite" rule_sequence = 103 # this example will rewrite the URL path from blogpost.aspx?id=X&title=Y to /blog/{id}/{title} conditions = { blog_path = { variable = "var_uri_path" pattern = 
".*blogpost.aspx\\?id=(.*)&title=(.*)" ignore_case = false negate = false } } response_header_configurations = { # example frame embedding protection x-frame-options = { header_name = "X-Frame-Options" header_value = "DENY" } } url = { path = "/blog/{var_uri_path_1}/{var_uri_path_2}" reroute = false } } } } } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Zone redundancy for the application gateway zones = ["1", "2", "3"] } ``` -------------------------------- ### Configure Azure Application Gateway with Standard_v2 SKU Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/simple_http_app_gateway_internal/README.md This snippet shows the configuration of an Azure Application Gateway using the AVM Terraform module. It includes mandatory inputs like backend address pools, HTTP settings, frontend ports, gateway IP configuration, HTTP listeners, and request routing rules. Optional configurations such as autoscaling, WAF settings, private IP configuration, resource locks, public IP address, SKU details, tags, and availability zones are also demonstrated. 
```terraform resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" # Backend address pool configuration for the application gateway # Mandatory Input backend_address_pools = { pool-1 = { name = "Pool1" } } # Backend http settings configuration for the application gateway # Mandatory Input backend_http_settings = { port80 = { name = "backend_http_settings-port-80" port = 80 protocol = "Http" cookie_based_affinity = "Disabled" dedicated_backend_connection_enabled = true enable_https = false request_timeout = 30 } # Add more http settings as needed } # WAF : This example NO HTTPS, We recommend to Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers. # WAF : Please refer kv_selfssl_waf_https_app_gateway example for HTTPS configuration frontend_ports = { frontend-port-80 = { name = "frontend-port-80" port = 80 } # Add more ports as needed } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } # Http Listerners configuration for the application gateway # Mandatory Input http_listeners = { http_listeners-for-80 = { name = "http_listeners-for-80" # The frontend_port_name must be same as given frontend_port block frontend_port_name = "frontend-port-80" protocol = "Http" } # Add more http listeners as needed } location = azurerm_resource_group.rg_group.location # provide Application gateway name name = module.naming.application_gateway.name_unique # Routing rules configuration for the backend pool # Mandatory Input request_routing_rules = { routing-rule-1 = { name = "Rule1" rule_type = "Basic" # The http_listener_name must be same as given http_listeners block http_listener_name = "http_listeners-for-80" # The backend_address_pool_name must be same as given backend_address_pool 
block backend_address_pool_name = "Pool1" # The backend_http_settings_name must be same as given backend_http_settings block backend_http_settings_name = "backend_http_settings-port-80" priority = 9 } # Add more rules as needed } resource_group_name = azurerm_resource_group.rg_group.name autoscale_configuration = { min_capacity = 2 max_capacity = 15 } enable_telemetry = var.enable_telemetry frontend_ip_configuration_private = { private_ip_address = "100.64.1.5" private_ip_address_allocation = "Static" } lock = { name = "lock-${module.naming.application_gateway.name_unique}" # optional kind = "CanNotDelete" } # pre-requisites resources input required for the module public_ip_address_configuration = { public_ip_name = "${module.naming.public_ip.name_unique}-pip" } # WAF : Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling. sku = { # Accpected value for names Standard_v2 and WAF_v2 name = "Standard_v2" # Accpected value for tier Standard_v2 and WAF_v2 tier = "Standard_v2" # Accpected value for capacity 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU capacity = 0 # Set the initial capacity to 0 for autoscaling } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Optional Input # Zone redundancy for the application gateway zones = ["1", "2", "3"] } ``` -------------------------------- ### Application Gateway HTTP Listeners Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/front_end_ip_private_custom_name/README.md Configures HTTP listeners for the application gateway, associating them with frontend IP configurations and ports. This example shows listeners for both public and private IP configurations with custom names. 
```terraform http_listeners = { appGatewayHttpListener_80 = { name = "app-Gateway-Http-Listener-80" frontend_ip_configuration_name = "public-ip-custom-name" host_name = null frontend_port_name = "port_80" }, appGatewayHttpListener_81 = { name = "app-Gateway-Http-Listener-81" frontend_ip_configuration_name = "private-ip-custom-name" host_name = null frontend_port_name = "port_81" } # # Add more http listeners as needed } ``` -------------------------------- ### Set Application Gateway SKU and Capacity Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Define the Application Gateway SKU tier and instance capacity. Only 'Standard_v2' and 'WAF_v2' are supported. When autoscaling is configured, the fixed capacity is not used. ```hcl # Standard v2 with fixed capacity sku = { name = "Standard_v2" tier = "Standard_v2" capacity = 2 } # WAF v2 with autoscaling (capacity not used) sku = { name = "WAF_v2" tier = "WAF_v2" } ``` -------------------------------- ### Terraform Configuration for Application Gateway Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/selfssl_waf_https_app_gateway/README.md This Terraform configuration sets up an Azure Application Gateway with WAF enabled, routing traffic to your application. It assumes your application runs on virtual machine instances within a scale set, which is added to the default backend pool. Ensure the scale set is updated with the IP or FQDN of the Application Gateway. This example is based on the tutorial from Azure documentation. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 4.0" } random = { source = "hashicorp/random" version = ">= 3.5.0, < 4.0.0" } } } provider "azurerm" { features {} } # This ensures we have unique CAF compliant names for our resources. 
module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" suffix = ["agw"] } # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.11.0" } ``` -------------------------------- ### Configure SSL Certificates for Application Gateway Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Provide SSL certificates for HTTPS listeners. For production, referencing a Key Vault secret is recommended, as it keeps the certificate's private key material out of the Terraform configuration. Inline PFX data is useful for testing only; the literal password in the example is a placeholder, so never commit a real PFX file or its password to source control, and pass the password through a variable marked sensitive instead. ```hcl # From Azure Key Vault (production-recommended) ssl_certificates = { "app-gateway-cert" = { name = "app-gateway-cert" key_vault_secret_id = azurerm_key_vault_certificate.ssl_cert.secret_id } } # Inline PFX (useful for testing) ssl_certificates = { "self-signed-cert" = { name = "self-signed-cert" data = filebase64("certificate.pfx") password = "P@ssw0rd" } } ``` -------------------------------- ### Define Private Link Configuration with IP Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Configure private link settings, including a name for the configuration and a list of IP configurations. Each IP configuration requires a name, primary status, subnet ID, and IP address allocation method. Static IP addresses are optional. ```hcl set(object({ name = string ip_configuration = list(object({ name = string primary = bool private_ip_address = optional(string) private_ip_address_allocation = string subnet_id = string })) })) ``` -------------------------------- ### Default SKU Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md The default SKU configuration for the Application Gateway, using Standard_v2 name and tier with a capacity of 2. 
```json { "capacity": 2, "name": "Standard_v2", "tier": "Standard_v2" } ``` -------------------------------- ### Configure Autoscaling for Application Gateway Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Enable autoscaling for the Application Gateway by defining the minimum and maximum instance capacity. ```hcl autoscale_configuration = { min_capacity = 2 max_capacity = 10 } ``` -------------------------------- ### Default Application Gateway Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/simple_http_host_single_site_app_gateway/README.md This configuration deploys the Application Gateway module in its simplest form. It sets up backend pools, HTTP settings, frontend ports, listeners, and routing rules for basic HTTP traffic. It also includes autoscale configuration and a public IP address. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 4.0" } random = { source = "hashicorp/random" version = ">= 3.5.0, < 4.0.0" } } } provider "azurerm" { features {} } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" suffix = ["agw"] } # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.11.0" } # This allows us to randomize the region for the resource group. 
resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" # Backend address pool configuration for the application gateway # Mandatory Input backend_address_pools = { appGatewayBackendPool = { name = "appGatewayBackendPool" ip_addresses = ["100.64.2.6", "100.64.2.5"] #fqdns = ["example1.com", "example2.com"] } } # Backend http settings configuration for the application gateway # Mandatory Input backend_http_settings = { appGatewayBackendHttpSettings = { name = "appGatewayBackendHttpSettings" protocol = "Http" cookie_based_affinity = "Disabled" path = "/" request_timeout = 30 #Github issue #55 allow custom port for the backend port = 8080 connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } # Add more http settings as needed } # frontend port configuration block for the application gateway # WAF : This example NO HTTPS, We recommend to Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers. 
# WAF : Please refer kv_selfssl_waf_https_app_gateway example for HTTPS configuration frontend_ports = { frontend-port-80 = { name = "frontend-port-80" port = 8080 } } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } # Http Listerners configuration for the application gateway # Mandatory Input http_listeners = { appGatewayHttpListener = { name = "appGatewayHttpListener" host_name = null frontend_port_name = "frontend-port-80" } # # Add more http listeners as needed } location = azurerm_resource_group.rg_group.location # provide Application gateway name name = module.naming.application_gateway.name_unique # Routing rules configuration for the backend pool # Mandatory Input request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "appGatewayHttpListener" backend_address_pool_name = "appGatewayBackendPool" backend_http_settings_name = "appGatewayBackendHttpSettings" priority = 100 } # Add more rules as needed } resource_group_name = azurerm_resource_group.rg_group.name autoscale_configuration = { min_capacity = 2 max_capacity = 3 } # pre-requisites resources input required for the module public_ip_address_configuration = { public_ip_name = "${module.naming.public_ip.name_unique}-pip" } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Zone redundancy for the application gateway ["1", "2", "3"] zones = ["1", "2", "3"] } ``` -------------------------------- ### Configure HTTP Header and URL Rewrite Rules Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Defines sets of HTTP header and URL rewrite rules. Rules can be conditioned on server variables or URI patterns and execute in `rule_sequence` order. Because the condition `pattern` is an HCL string literal, backslashes in the regular expression must be doubled (for example `\\.` and `\\?`), as the rewrite_rule example above does; a single backslash before `.` or `?` is not a valid HCL escape sequence. 
```hcl rewrite_rule_set = { main_ruleset = { name = "my-rewrite-rule-set" rewrite_rules = { forward_ip = { name = "rr-x-forwarded-for" rule_sequence = 100 request_header_configurations = { xff = { header_name = "X-Forwarded-For" header_value = "{var_client_ip}" } } } blog_rewrite = { name = "rr-blog-post-rewrite" rule_sequence = 110 conditions = { match_blog = { variable = "var_uri_path" pattern = ".*blogpost\.aspx\?id=(.*)&title=(.*)" ignore_case = false negate = false } } response_header_configurations = { frame_options = { header_name = "X-Frame-Options" header_value = "DENY" } } url = { path = "/blog/{var_uri_path_1}/{var_uri_path_2}" reroute = false } } } } } ``` -------------------------------- ### Configure Application Gateway with HTTP Probe Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/simple_http_probe_app_gateway/README.md This configuration sets up a basic Application Gateway with HTTP settings, a frontend port, an HTTP listener, a request routing rule, and a health probe. It includes autoscaling configuration and specifies the SKU as Standard_v2. The probe is configured to check the /health endpoint using HTTP. 
```terraform resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" # Backend address pool configuration for the application gateway # Mandatory Input backend_address_pools = { appGatewayBackendPool = { name = "app-Gateway-Backend-Pool" ip_addresses = ["100.64.2.6", "100.64.2.5"] #fqdns = ["example1.com", "example2.com"] } } # Backend http settings configuration for the application gateway # Mandatory Input backend_http_settings = { appGatewayBackendHttpSettings = { name = "app-Gateway-Backend-Http-Settings" port = 80 protocol = "Http" cookie_based_affinity = "Disabled" path = "/" request_timeout = 30 connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } # Add more http settings as needed } # frontend port configuration block for the application gateway # WAF : This example NO HTTPS, We recommend to Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers. 
# WAF : Please refer kv_selfssl_waf_https_app_gateway example for HTTPS configuration frontend_ports = { frontend-port-80 = { name = "frontend-port-80" port = 80 } } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } # Http Listerners configuration for the application gateway # Mandatory Input http_listeners = { appGatewayHttpListener = { name = "app-Gateway-Http-Listener" host_name = null frontend_port_name = "frontend-port-80" } # # Add more http listeners as needed } location = azurerm_resource_group.rg_group.location # provide Application gateway name name = module.naming.application_gateway.name_unique # Routing rules configuration for the backend pool # Mandatory Input request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "app-Gateway-Http-Listener" backend_address_pool_name = "app-Gateway-Backend-Pool" backend_http_settings_name = "app-Gateway-Backend-Http-Settings" priority = 100 } # Add more rules as needed } # pre-requisites resources input required for the module resource_group_name = azurerm_resource_group.rg_group.name autoscale_configuration = { min_capacity = 2 max_capacity = 3 } enable_telemetry = var.enable_telemetry # probe configurations for the application gateway # WAF : Use Health Probes to detect backend availability # # Optional Input probe_configurations = { probe1 = { name = "Probe1" interval = 30 timeout = 10 unhealthy_threshold = 3 protocol = "Http" port = 80 path = "/health" host = "127.0.0.1" pick_host_name_from_backend_http_settings = false # Note on host : The Hostname used for this Probe. If the Application Gateway is configured for a single site, # by default the Host name should be specified as 127.0.0.1, # unless otherwise configured in custom probe. # Cannot be set if pick_host_name_from_backend_http_settings is set to true. # You must provide host value if pick_host_name_from_backend_http_settings is set to false. 
match = { status_code = ["200-399"] } } } public_ip_address_configuration = { create_public_ip_enabled = false #88 Option to create a new public IP or use an existing one public_ip_resource_id = azurerm_public_ip.public_ip.id } # WAF : Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling. sku = { # Accpected value for names Standard_v2 and WAF_v2 name = "Standard_v2" # Accpected value for tier Standard_v2 and WAF_v2 tier = "Standard_v2" # Accpected value for capacity 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU capacity = 0 # Set the initial capacity to 0 for autoscaling } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Optional Input } ``` -------------------------------- ### Configure Global Application Gateway Settings Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Enable or disable request and response buffering for the Application Gateway. These settings are required. ```hcl object({ request_buffering_enabled = bool response_buffering_enabled = bool }) ``` -------------------------------- ### Configure Diagnostic Settings for Application Gateway Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Set up diagnostic settings to send logs and metrics to various destinations. Supports log analytics workspaces, storage accounts, and event hubs. Options include specifying log categories, log groups, metric categories, and destination types. 
```hcl map(object({ name = optional(string, null) log_categories = optional(set(string), []) log_groups = optional(set(string), ["allLogs"]) metric_categories = optional(set(string), ["AllMetrics"]) log_analytics_destination_type = optional(string, "Dedicated") workspace_resource_id = optional(string, null) storage_account_resource_id = optional(string, null) event_hub_authorization_rule_resource_id = optional(string, null) event_hub_name = optional(string, null) marketplace_partner_resource_id = optional(string, null) })) ``` -------------------------------- ### Configure HTTP Redirects Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Configures HTTP-to-HTTPS or other redirects. Redirects can target another listener or an explicit URL. Supported redirect types include Permanent, Temporary, Found, and SeeOther. ```hcl redirect_configuration = { http_to_https = { name = "RedirectToHTTPS" redirect_type = "Permanent" # Permanent, Temporary, Found, SeeOther include_path = true include_query_string = true target_listener_name = "appGatewayHttpsListener" } external_redirect = { name = "RedirectToExternal" redirect_type = "Found" target_url = "https://www.example.com" } } ``` -------------------------------- ### Configure Backend HTTP Settings Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Define how the Application Gateway communicates with backend servers, including protocol, port, timeouts, and session affinity. Supports both HTTP and HTTPS configurations, with options for trusted root certificates. 
```hcl backend_http_settings = { http_settings_80 = { name = "appGatewayBackendHttpSettings" port = 80 protocol = "Http" cookie_based_affinity = "Enabled" affinity_cookie_name = "ApplicationGatewayAffinity" path = "/" request_timeout = 30 # Pick host from backend server name instead of a fixed host_name pick_host_name_from_backend_address = false host_name = "backend.example.com" connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } https_settings_443 = { name = "httpsBackendSettings" port = 443 protocol = "Https" cookie_based_affinity = "Disabled" request_timeout = 60 trusted_root_certificate_names = ["my-root-cert"] } } ``` -------------------------------- ### Define Public Frontend IP Configuration Name Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Optionally specify the name for the public frontend IP configuration. If not provided, it will be inferred from the resource name. ```hcl string ``` -------------------------------- ### Deploy Application Gateway with Backend Pools Source: https://context7.com/azure/terraform-azurerm-avm-res-network-applicationgateway/llms.txt Configure backend pools for the Application Gateway, specifying backend servers by IP address or FQDN. Ensure Terraform and azurerm provider versions meet the module's requirements. 
```hcl module "application_gateway" { source = "Azure/avm-res-network-applicationgateway/azurerm" name = "my-appgw" location = "eastus" resource_group_name = "my-rg" # Backends by IP address backend_address_pools = { pool_ip = { name = "appGatewayBackendPool" ip_addresses = ["10.0.1.4", "10.0.1.5"] } # Backends by FQDN pool_fqdn = { name = "fqdnPool" fqdns = ["app1.internal.example.com", "app2.internal.example.com"] } } # (other required inputs omitted for brevity) } ``` -------------------------------- ### Configure Application Gateway with WAF Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/simple_waf_http_app_gateway/README.md This Terraform configuration sets up an Azure Application Gateway with WAF_v2 SKU. It includes essential components like backend address pools, HTTP settings, frontend ports, listeners, request routing rules, autoscaling, and diagnostic settings for logging. Ensure a WAF policy is created separately and its resource ID is provided. 
```terraform resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } module "application_gateway" { source = "../../" # Backend address pool configuration for the application gateway # Mandatory Input backend_address_pools = { appGatewayBackendPool = { name = "appGatewayBackendPool" ip_addresses = ["100.64.2.6", "100.64.2.5"] } } # Backend http settings configuration for the application gateway # Mandatory Input backend_http_settings = { appGatewayBackendHttpSettings = { name = "appGatewayBackendHttpSettings" port = 80 protocol = "Http" path = "/" request_timeout = 30 connection_draining = { enable_connection_draining = true drain_timeout_sec = 300 } } # Add more http settings as needed } # frontend port configuration block for the application gateway # WAF : This example NO HTTPS, We recommend to Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers. 
# WAF : Please refer kv_selfssl_waf_https_app_gateway example for HTTPS configuration frontend_ports = { frontend-port-80 = { name = "frontend-port-80" port = 80 } } gateway_ip_configuration = { subnet_id = azurerm_subnet.backend.id } # Http Listerners configuration for the application gateway # Mandatory Input http_listeners = { appGatewayHttpListener = { name = "appGatewayHttpListener" host_name = null frontend_port_name = "frontend-port-80" } # # Add more http listeners as needed } location = azurerm_resource_group.rg_group.location # provide Application gateway name name = module.naming.application_gateway.name_unique # Routing rules configuration for the backend pool # Mandatory Input request_routing_rules = { routing-rule-1 = { name = "rule-1" rule_type = "Basic" http_listener_name = "appGatewayHttpListener" backend_address_pool_name = "appGatewayBackendPool" backend_http_settings_name = "appGatewayBackendHttpSettings" priority = 100 } # Add more rules as needed } resource_group_name = azurerm_resource_group.rg_group.name # WAF : Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through OWASP core rule sets-based rules. # Ensure that you have a WAF policy created before enabling WAF on the Application Gateway # The use of an external WAF policy is recommended rather than using the classic WAF via the waf_configuration block. 
app_gateway_waf_policy_resource_id = azurerm_web_application_firewall_policy.azure_waf.id autoscale_configuration = { min_capacity = 2 max_capacity = 3 } # WAF : Monitor and Log the configurations and traffic diagnostic_settings = { example_setting = { name = "${module.naming.application_gateway.name_unique}-diagnostic-setting" workspace_resource_id = azurerm_log_analytics_workspace.log_analytics_workspace.id log_analytics_destination_type = "Dedicated" # Or "AzureDiagnostics" # log_categories = ["Application Gateway Access Log", "Application Gateway Performance Log", "Application Gateway Firewall Log"] log_groups = ["allLogs"] metric_categories = ["AllMetrics"] } } enable_telemetry = var.enable_telemetry public_ip_address_configuration = { public_ip_name = "${module.naming.public_ip.name_unique}-pip" } # WAF : Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling. sku = { # Accpected value for names Standard_v2 and WAF_v2 name = "WAF_v2" # Accpected value for tier Standard_v2 and WAF_v2 tier = "WAF_v2" # Accpected value for capacity 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU capacity = 0 # Set the initial capacity to 0 for autoscaling } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } # Optional Input # Zone redundancy for the application gateway ["1", "2", "3"] zones = ["1", "2", "3"] } ``` -------------------------------- ### SKU Configuration for Application Gateway Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Specifies the SKU for the Application Gateway, including name, tier, and capacity. For V2 SKUs, capacity must be between 1 and 125. This configuration is optional if autoscale is set. 
```hcl object({ name = string # Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, and WAF_v2 tier = string # Standard, Standard_v2, WAF and WAF_v2 capacity = optional(number, 2) # V1 SKU this value must be between 1 and 32, and 1 to 125 for a V2 SKU }) ``` -------------------------------- ### Enable HTTP/2 Protocol Support Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/README.md Set to true to enable HTTP/2 protocol support for the Azure Application Gateway. Defaults to true. ```hcl bool ``` -------------------------------- ### Configure Azure Application Gateway with WAF v2 SKU Source: https://github.com/azure/terraform-azurerm-avm-res-network-applicationgateway/blob/main/examples/kv_selfssl_waf_https_app_gateway/README.md Defines the Application Gateway resource with WAF v2 SKU, autoscaling capacity, and SSL certificate configuration. Ensure Key Vault is configured to store the SSL certificate. ```terraform resource "azurerm_application_gateway" "app_gateway" { name = "app-gateway" location = "eastus" resource_group_name = "rg-app-gateway" sku { # Accpected value for tier Standard_v2 and WAF_v2 tier = "WAF_v2" # Accpected value for capacity 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU capacity = 0 # Set the initial capacity to 0 for autoscaling } # SSL Certificate Block ssl_certificates = { "app-gateway-cert" = { name = "app-gateway-cert" key_vault_secret_id = azurerm_key_vault_certificate.ssl_cert_id.secret_id } } ssl_policy = { policy_type = "Custom" min_protocol_version = "TLSv1_2" cipher_suites = [ "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ] } ssl_profile = { profile1 = { name = "example-ssl-profile" ssl_policy = { policy_type = "Custom" min_protocol_version = "TLSv1_2" cipher_suites = [ "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ] } } } tags = { environment = "dev" owner = "application_gateway" project = "AVM" } 
# Optional Input # Zone redundancy for the application gateway ["1", "2", "3"] zones = ["1", "2", "3"] } ```